
Meeting TENACE PhD Session, Fai della Paganella, 11 February 2014. Resilient Computing Lab. A methodology and supporting techniques for the assessment of insider threats.




1 Meeting TENACE PhD Session, Fai della Paganella, 11 February 2014. Resilient Computing Lab. A methodology and supporting techniques for the assessment of insider threats. Nicola Nostro. Tutors: Bondavalli Andrea, Di Giandomenico Felicita. Università degli Studi di Firenze.

2 Nicola Nostro, Meeting TENACE, Fai della Paganella, 11 February 2014
Subject of the research
- Nowadays the life of each of us is highly dependent on critical infrastructures, which are characterized by heterogeneity and dynamicity.
- They may be prone to failures, intrusions, and attacks from outside and inside.
- It is crucial to design systems ensuring resilience and security.

3 Context
- Security is a major challenge for today's companies.
- Security measures are carefully selected and maintained to protect organizations from external threats.
- Several tools and solutions are available for this purpose: firewalls, antivirus, intrusion detection systems, ...
- What happens inside the system?

4 Motivations
- Amongst the multitude of attacks and threats to which a system is potentially exposed, there are insider attackers. They are difficult to detect and mitigate due to the nature of the attackers.
- How to detect data theft or sabotage by malicious insiders? These activities can be difficult to differentiate from legitimate use.
- Protecting from insider threats requires a deep study of the socio-economical profiles, the possible actions, and the impact of these actions on the system.
- Insider attackers constitute an actual threat for ICT organizations. This calls for a tailored insider threat assessment activity.

5 Objectives
- Define a methodology and supporting libraries for insider threat assessment and mitigation.
- Evaluate the possibility that a user will perform an attack, the severity of potential violations, and the costs.
- Identify proper countermeasures.

6 The methodology in 6 steps
System under analysis
◊ Identification of components
◊ Interactions
◊ Functional description
Profiling potential insiders
◊ All users are identified
◊ Definition of attributes
◊ Reference to a predefined library
Insider threats
◊ Identification
◊ Description
Attack paths
◊ Identify exploitable paths
◊ Set up the modeling approach
Countermeasures selection
◊ Selection of proper countermeasures
◊ Reference to a predefined library
Iteration and update
◊ Potential consequences
◊ Evaluation

7 Methodology - System description
A system is characterized by a number of:
- resources: services, computers, removable drives, etc.;
- communication networks;
- users, which can use the system or in general interact with it;
- new features that can be integrated over time, due to the evolution of technologies and the update of system specifications or requirements.
Providing a formal description of the overall system may be expensive in terms of time.

8 Methodology - System description
- A semi-formal description, limited to the aspects of interest of the system and the interactions that users may have with it, is appropriate.
- Through a semi-formal notation it is possible to immediately understand the description of the system, by using graphical notations along with natural language descriptions.
- UML use case diagrams allow one to describe the system's functionalities and use case scenarios from the point of view of the users/insiders; the use case descriptions are shown in tables.

9 Methodology – Insiders' profile
- Identify a taxonomy of system users and potential attributes.
- A predefined library of insiders to consider, which constitutes a consistent reference library describing the human agents involved in IT systems that could pose threats to such systems.
- Eight attributes defined: Intent, Access, Outcome, Limits, Resource, Skill Level, Objective, Visibility.
T. Casey, "Threat Agent Library Helps Identify Information Security Risks," Intel White Paper, September 2007.

10 Methodology – Insider threats
- We can identify a number of threats of different severity, related to the actions performed by the insiders: install malicious software/code, create backdoors, disable system logs and anti-virus, create new users, plant logic bombs, perform operations on the database.
- The idea is to list the possible threats and try to associate them with the previously identified insiders.

11 Methodology – Attack Paths
- Identify the path(s) exploitable by the insider(s) to realize the threat(s) and achieve the goal(s).
- A critical step, especially if we think of unknown paths: many insiders are able to set up unexpected attack paths that are unknown.
- Several techniques exist and are very useful for determining what threats exist in a system and how to deal with them: attack trees, attack graphs, privilege graphs, ADVISE.
- Evaluating the success rate and effects of the attack is of paramount importance, as it gives information on the probability of occurrence of an attack.

12 Methodology – Countermeasures
- Selection of the proper countermeasure(s) to avoid or mitigate the identified threat(s).
- A defined library which lists the countermeasures can be used.
- Introduction of such countermeasures may require re-assessing the system.
- In case a model of the system and of the countermeasure is available, these can be integrated with the attack path.

13 Methodology application – System & Insider Profiling
Insiders: Operator, Domain Expert, Unknown User, System Expert, System Administrator (SA).
System Maintenance Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system.
Description: Apply OS patches and upgrades to the system and to the administrative tools and utilities on a regular basis. Configure/add new services as necessary. Upgrade and configure system software or Asset Management applications. Maintain operational, configuration, or other procedures. Perform periodic performance reporting. Perform ongoing performance tuning, hardware upgrades, and resource optimization.
Data Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the data.
Description: Perform daily backup operations, ensuring the integrity and availability of data.
Profile Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system data.
Description: Create, change, and delete user accounts.
Crisis Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system data.
Description: Repair and recover from hardware or software failures or from cyber attacks. Coordinate and communicate any recovery actions.

14 Methodology application – Insider Threats
Threats (columns 1 to 15 of the slide's table):
1. Disable system logs
2. Corrupt data
3. View confidential data
4. Add not required services
5. Improper configuration
6. Improper user management
7. Elevate users' privileges
8. Install vulnerable supporting software
9. Install vulnerable Secure! services
10. Use of defective hardware
11. Transfer confidential files
12. Access to crypto keys
13. Putting Trojan horses
14. Disabling protection of components
15. Altering audit trails and logs
Insider row (SA), YES/NO cells as extracted from the slide: SA YES SE NO YES NO YES NO YES NO YES NO
Matching attributes-values (Attribute: Value, SA):
Intent: Hostile
Access: Internal, External
Outcome/Goal: Damage, Acquisition/Theft
Limits: Code of Conduct, Legal, Extra-legal
Resources: Individual
Minimum Skills: Adept
Objective: Copy, Destroy, Take
Visibility: Clandestine
Mapping Insiders to Threats. Attack goals: degradation of the performance of the system; theft of sensitive data.
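The insider library of slide 9 and the attribute-value matching of slides 10 and 14 can be made mechanical. The following is an added example, not code from the presentation or the Resilient Computing Lab: it encodes the eight threat-agent attributes, the SA profile exactly as given in the slide's attribute/value table, a second (constructed) Operator profile, and a subset of the slide's threats annotated with the attribute values each one needs. Those required values, and the matching rule itself (for every attribute a threat lists, the insider's profile must contain at least one acceptable value), are assumptions made here for illustration.

```python
"""Insider profile library and insider-to-threat mapping (added example).

Encodes the eight threat-agent attributes used on the slides (Casey's Threat Agent
Library), the System Administrator profile from the slide's attribute/value table,
and a constructed second profile. Each threat is annotated with the attribute values
it needs; the matching rule (for every attribute a threat lists, the insider's profile
must contain at least one acceptable value) is an assumption made for illustration.
"""
from dataclasses import dataclass

ATTRIBUTES = ("Intent", "Access", "Outcome", "Limits",
              "Resources", "Skills", "Objective", "Visibility")


@dataclass(frozen=True)
class Insider:
    name: str
    profile: dict          # attribute -> frozenset of values from the library


@dataclass(frozen=True)
class Threat:
    tid: int
    name: str
    requires: dict         # attribute -> frozenset of acceptable values


def validate_profile(profile):
    """List the problems in a profile: library attributes that are missing or empty,
    plus attributes that are not part of the library. Empty list means complete."""
    missing = [a for a in ATTRIBUTES if not profile.get(a)]
    unknown = [a for a in profile if a not in ATTRIBUTES]
    return missing + unknown


def matches(insider, threat):
    """True when the insider's profile satisfies every attribute the threat requires."""
    return all(insider.profile.get(attr, frozenset()) & accepted
               for attr, accepted in threat.requires.items())


def map_insiders_to_threats(insiders, threats):
    """Slide 14's 'mapping insiders to threats': insider name -> ids of realisable threats."""
    return {i.name: [t.tid for t in threats if matches(i, t)] for i in insiders}


# System Administrator profile, values taken from the slide's attribute/value table.
SA = Insider("System Administrator", {
    "Intent": frozenset({"Hostile"}),
    "Access": frozenset({"Internal", "External"}),
    "Outcome": frozenset({"Damage", "Acquisition/Theft"}),
    "Limits": frozenset({"Code of Conduct", "Legal", "Extra-legal"}),
    "Resources": frozenset({"Individual"}),
    "Skills": frozenset({"Adept"}),
    "Objective": frozenset({"Copy", "Destroy", "Take"}),
    "Visibility": frozenset({"Clandestine"}),
})

# Operator profile: constructed for this example, not given on the slides.
OPERATOR = Insider("Operator", {
    "Intent": frozenset({"Hostile"}),
    "Access": frozenset({"Internal"}),
    "Outcome": frozenset({"Damage"}),
    "Limits": frozenset({"Legal"}),
    "Resources": frozenset({"Individual"}),
    "Skills": frozenset({"Minimal"}),
    "Objective": frozenset({"Destroy"}),
    "Visibility": frozenset({"Overt"}),
})

# Threat names and ids follow the slide's table; the required attribute values are
# constructed here to illustrate the matching, not taken from the slides.
THREATS = [
    Threat(1, "Disable system logs",
           {"Access": frozenset({"Internal"}), "Skills": frozenset({"Adept", "Expert"})}),
    Threat(2, "Corrupt data",
           {"Access": frozenset({"Internal"}), "Outcome": frozenset({"Damage"})}),
    Threat(3, "View confidential data",
           {"Access": frozenset({"Internal", "External"}),
            "Outcome": frozenset({"Acquisition/Theft"})}),
    Threat(11, "Transfer confidential files",
           {"Outcome": frozenset({"Acquisition/Theft"}),
            "Objective": frozenset({"Copy", "Take"}),
            "Visibility": frozenset({"Clandestine"})}),
    Threat(12, "Access to crypto keys",
           {"Access": frozenset({"Internal"}), "Skills": frozenset({"Expert"})}),
]
INSIDERS = [SA, OPERATOR]

if __name__ == "__main__":
    for insider in INSIDERS:
        problems = validate_profile(insider.profile)
        assert not problems, f"{insider.name}: {problems}"
    for name, tids in map_insiders_to_threats(INSIDERS, THREATS).items():
        print(f"{name}: can realise threats {tids}")
```

With these constructed requirements the SA maps to threats 1, 2, 3 and 11 but not 12 (the profile says Adept, the threat demands Expert), while the Operator maps only to threat 2. The `validate_profile` check is the one a practitioner wants before trusting any mapping: a profile with a missing attribute silently fails every threat that requires it.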

15 Methodology application – Attack Paths
ADVISE attack execution graph for Data Theft (figure). Rectangular boxes represent the attack steps; squares are the access domains; circles are the knowledge items; ovals represent the attack goal.
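Slide 11 asks for the probability of occurrence of an attack along the identified paths, slide 12 says a countermeasure may require re-assessing the system, and slide 15 shows this with an ADVISE graph for data theft. The following added example, not the presentation's or the ADVISE tool's code, models a small attack graph whose step names are taken from the slide's threat list; the edges, the per-step success probabilities, and the assumption that steps succeed independently (so a path's probability is the product of its steps) are all constructed for illustration. It enumerates the paths to the goal, ranks them, then weakens one step as slide 16's "prevent queries on sensitive data" countermeasure would and ranks again, showing why re-assessment is needed: the most likely path changes.

```python
"""Attack-path enumeration and re-assessment after a countermeasure (added example).

Attack steps are nodes with an assumed success probability; directed edges say which
step can follow which. Step names come from the slide's threat list, while the edges,
probabilities and independence assumption are constructed for this example.
"""

START, GOAL = "start", "goal_data_theft"

# Which step can follow which (constructed).
GRAPH = {
    START: ["elevate_user_privileges", "view_confidential_data"],
    "elevate_user_privileges": ["disable_system_logs"],
    "disable_system_logs": ["transfer_confidential_files"],
    "view_confidential_data": ["transfer_confidential_files"],
    "transfer_confidential_files": [GOAL],
    GOAL: [],
}

# Assumed probability that an insider completes each step once attempted (constructed).
STEP_SUCCESS = {
    "elevate_user_privileges": 0.4,
    "disable_system_logs": 0.5,
    "view_confidential_data": 0.8,
    "transfer_confidential_files": 0.6,
}


def enumerate_paths(graph, start, goal):
    """All simple paths from start to goal (depth-first; revisits are refused, so
    a graph with cycles still terminates)."""
    paths = []

    def walk(node, path):
        if node == goal:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def path_probability(path, step_success):
    """Product of the success probabilities of the steps on the path."""
    p = 1.0
    for step in path:
        p *= step_success.get(step, 1.0)   # start and goal carry no probability
    return p


def assess(graph, step_success, start=START, goal=GOAL):
    """Rank every path by likelihood. Returns (most likely path, its probability,
    full ranking as a list of (probability, path) tuples, highest first)."""
    ranked = sorted(((path_probability(p, step_success), p)
                     for p in enumerate_paths(graph, start, goal)),
                    key=lambda item: item[0], reverse=True)
    best_prob, best_path = ranked[0]
    return best_path, best_prob, ranked


def apply_countermeasure(step_success, step, residual_success):
    """Return a new probability table with one step weakened; the original is kept
    so the before/after assessments can be compared."""
    updated = dict(step_success)
    updated[step] = residual_success
    return updated


if __name__ == "__main__":
    path, prob, _ = assess(GRAPH, STEP_SUCCESS)
    print(f"before: {prob:.2f} via {' -> '.join(path)}")
    hardened = apply_countermeasure(STEP_SUCCESS, "view_confidential_data", 0.1)
    path, prob, _ = assess(GRAPH, hardened)
    print(f"after:  {prob:.2f} via {' -> '.join(path)}")
```

Before the countermeasure the direct path through viewing confidential data dominates (0.8 x 0.6 = 0.48); after the detection system cuts that step to 0.1 the privilege-escalation path (0.4 x 0.5 x 0.6 = 0.12) becomes the most likely one, which is exactly the re-assessment loop the methodology's last step calls for.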

16 Methodology application - Countermeasures
Countermeasures:
- Identify the sensitive data and set up a detection system that prevents all queries on such data.
- Keep track of accesses (username, timestamp, event description: computer system, devices, utilized software, software installation, error condition, etc.).
- Implement a biometric system which performs an identity check at a predetermined interval (minutes, hours).
- Do not allow logins to the system during holidays or outside office hours.
- Allow printing reports only on specific printers.
- Implement an e-mail system with automatic cc forwarding to a higher-ranking person.
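Two of the countermeasures above (tracking accesses as username, timestamp and event description, and refusing logins outside office hours or on holidays) together with the sensitive-data query rule can be checked over the access log. The following is an added example, not code from the presentation: it parses constructed log lines in that three-field shape plus a detail column, and reports the records that violate the policy. The office hours, holiday calendar, sensitive table names and all log lines are constructed for this example; it alerts rather than blocks, so it illustrates the detection side of the countermeasure.

```python
"""Access-log checks for the countermeasures on slide 16 (added example).

Reads records in the shape the slide suggests (timestamp, username, event
description, detail) and flags logins outside office hours, on weekends or holidays,
and queries that touch data marked as sensitive. Every value below is constructed.
"""
from datetime import datetime, date, time

OFFICE_START, OFFICE_END = time(9, 0), time(18, 0)    # constructed office hours
HOLIDAYS = {date(2014, 1, 1)}                         # constructed holiday calendar
SENSITIVE_TABLES = {"customers.cards", "hr.salaries"}  # constructed sensitive data set

# Constructed log lines: timestamp,username,event,detail
SAMPLE_LOG = """\
2014-02-10T09:15:00,alice,login,ws-01
2014-02-10T22:40:00,bob,login,ws-03
2014-02-08T10:00:00,bob,login,ws-03
2014-02-10T10:05:00,alice,query,customers.cards
2014-02-10T10:06:00,alice,query,inventory.items
2014-01-01T11:00:00,carol,login,ws-05
"""


def parse_line(line):
    """Split one record into its four fields; the detail field may contain commas."""
    ts, user, event, detail = line.strip().split(",", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "detail": detail}


def check_record(rec):
    """Return the policy violations one record triggers (empty list if none).
    Holiday takes precedence over weekend, which takes precedence over office hours,
    so each login yields at most one time-based reason."""
    reasons = []
    ts = rec["ts"]
    if rec["event"] == "login":
        if ts.date() in HOLIDAYS:
            reasons.append("login on holiday")
        elif ts.weekday() >= 5:                      # Saturday = 5, Sunday = 6
            reasons.append("login on weekend")
        elif not (OFFICE_START <= ts.time() < OFFICE_END):
            reasons.append("login outside office hours")
    if rec["event"] == "query" and rec["detail"] in SENSITIVE_TABLES:
        reasons.append("query on sensitive data")
    return reasons


def scan(log_text):
    """Run the checks over a whole log; returns (user, timestamp, reason) tuples
    in log order, skipping blank lines."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for reason in check_record(rec):
            alerts.append((rec["user"], rec["ts"].isoformat(), reason))
    return alerts


if __name__ == "__main__":
    for user, ts, reason in scan(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

On the constructed log this raises four alerts: bob's 22:40 login and his Saturday login, alice's query on the sensitive customers table, and carol's login on 1 January; alice's morning login and her query on the inventory table pass. The event-description field the slide asks to record is what makes the query rule possible at all.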

17 Conclusions
- Several techniques exist to avoid or detect the risk that a legitimate user abuses their authority.
- Technological protection from external threats is important, but defending against insider attacks is and will remain challenging.
- Insider attacks are difficult to detect, either by human or technical means.
- We identified a lack in the definition of a methodology and related supports for the systematic investigation and assessment of insider threats.

18 Future works
- Define a method which supports the creation, usage and maintenance of the threat library.
- Identify an approach to support the selection of the input parameters that characterize the attack path, in order to understand the costs and dangerousness of an attack.
- Provide a mapping between the Insider Library and ADVISE profiles, also assigning numerical values.

19 Thank You

